From 91c3deba3cc25b96eb106309df69419deb30517b Mon Sep 17 00:00:00 2001 From: Tomi Turtiainen Date: Wed, 30 Oct 2019 00:11:46 +0200 Subject: [PATCH] helmet: Add featurePolicy (#39673) feture-policy provides TS typings with it, but it doesn't export the interface for the options parameter. We could have used conditional typings and infered the type of the parameter, but that would have restricted the minimum TS version to 2.8, so instead I created the interface definition here. Resolves #37627 --- types/helmet/helmet-tests.ts | 25 +++++++++++++++++++++++++ types/helmet/index.d.ts | 14 ++++++++++++++ 2 files changed, 39 insertions(+)
diff --git a/types/helmet/helmet-tests.ts b/types/helmet/helmet-tests.ts
index 39414a7d5f..c028faefa0 100644
--- a/types/helmet/helmet-tests.ts
+++ b/types/helmet/helmet-tests.ts
@@ -18,6 +18,16 @@ function helmetTest() {
 action: 'deny'
 }
 }));
+ app.use(helmet({
+ featurePolicy: {
+ features: {
+ fullscreen: ["'self'"],
+ vibrate: ["'none'"],
+ payment: ['example.com'],
+ syncXhr: ["'none'"]
+ }
+ }
+ }))
 }

 /**
@@ -244,3 +254,18 @@ function permittedCrossDomainPoliciesTest() {
 app.use(helmet.permittedCrossDomainPolicies({}));
 app.use(helmet.permittedCrossDomainPolicies({ permittedPolicies: 'none' }));
 }
+
+/**
+ * @summary Test for {@see helmet#featurePolicy} function.
+ */
+function featurePolicyTest() {
+ app.use(helmet.featurePolicy({
+ features: {
+ fullscreen: ["'self'"],
+ vibrate: ["'none'"],
+ payment: ['example.com'],
+ syncXhr: ["'none'"]
+ }
+ }));
+}
+
diff --git a/types/helmet/index.d.ts b/types/helmet/index.d.ts
index cc1ef2f8bf..3850fc3593 100644
--- a/types/helmet/index.d.ts
+++ b/types/helmet/index.d.ts
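Review bot: The closing line of the added `app.use(helmet({ ... }))` in `helmetTest` has no terminating semicolon (`+ }))`), while the sibling call directly above it ends in `}));` and every other statement in the hunk is terminated, so the line should read `}));`. If the package's lint step is enabled, this will presumably be flagged there as well.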
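Review bot: `featurePolicyTest` only exercises the accepted shape; nothing in the hunk checks that an options object without `features`, or a non-array value, is rejected, which is the reason the commit declares the options interface by hand instead of inferring it. If the test runner supports it, a negative case such as `// $ExpectError` followed by `app.use(helmet.featurePolicy({}));` would pin that contract and catch a later loosening of the typing.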
@@ -13,6 +13,7 @@ declare namespace helmet {
 export interface IHelmetConfiguration {
 contentSecurityPolicy?: boolean | IHelmetContentSecurityPolicyConfiguration;
 dnsPrefetchControl?: boolean | IHelmetDnsPrefetchControlConfiguration;
+ featurePolicy?: IFeaturePolicyOptions;
 frameguard?: boolean | IHelmetFrameguardConfiguration;
 hidePoweredBy?: boolean | IHelmetHidePoweredByConfiguration;
 hpkp?: boolean | IHelmetHpkpConfiguration;
@@ -26,6 +27,12 @@ declare namespace helmet {
 permittedCrossDomainPolicies?: boolean | IHelmetPermittedCrossDomainPoliciesConfiguration;
 }

+ export interface IFeaturePolicyOptions {
+ features: {
+ [featureName: string]: string[];
+ };
+ }
+
 export interface IHelmetPermittedCrossDomainPoliciesConfiguration {
 permittedPolicies?: string;
 }
@@ -196,6 +203,13 @@ declare namespace helmet {
 */
 dnsPrefetchControl(options?: IHelmetDnsPrefetchControlConfiguration): express.RequestHandler;

+ /**
+ * @summary Restrict which browser features can be used
+ * @param {IFeaturePolicyOptions} options The options
+ * @return {RequestHandler} The Request handler
+ */
+ featurePolicy(options: IFeaturePolicyOptions): express.RequestHandler;
+
 /**
 * @summary Prevent clickjacking.
 * @param {IHelmetFrameguardConfiguration} options The options
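Review bot: The JSDoc on the new `featurePolicy` declaration states none of the contract a caller needs: `options` is required (unlike the sibling `dnsPrefetchControl(options?)`), `features` maps a feature name to a list of allowed origins, and the keyword values are passed already quoted, as the test file's `"'self'"` / `"'none'"` entries show. I would replace the `@summary` line with `@summary Set the Feature-Policy header to restrict which browser features the page may use. options.features is required; each value is an allowlist of origins, with keywords quoted as "'self'" and "'none'".` Separately, `IFeaturePolicyOptions` departs from the file's `IHelmetXxxConfiguration` naming, and the new `IHelmetConfiguration` entry is the only one without `boolean`, so `helmet({ featurePolicy: false })` will not type-check; if helmet skips `false` for this middleware as it presumably does for the others, `featurePolicy?: false | IFeaturePolicyOptions;` keeps that opt-out while still rejecting `true`, which has no sensible default here. The enclosing `declare namespace helmet` opens and closes outside the hunk.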